Management and resolution of alarms based on historical alarms

ABSTRACT

The present disclosure describes methods, computer-readable media, and apparatuses supporting management and resolution of alarms of a communication network. In one example, management and resolution may include receiving a new alarm, determining an alarm resolution of the new alarm based on the new alarm and historical alarm information, and initiating an alarm resolution action for resolving the new alarm based on the alarm resolution of the new alarm. In one example, management and resolution may include maintaining historical alarm information for a set of historical alarms, receiving a new alarm, determining a set of similar alarms including one or more of the historical alarms similar to the new alarm, determining an alarm resolution for the new alarm based on the set of similar alarms similar to the new alarm, and initiating an alarm resolution action for resolving the new alarm based on the alarm resolution of the new alarm.

This application is a continuation of U.S. patent application Ser. No. 16/872,015, filed May 11, 2020, now U.S. Pat. No. 11,212,161, which is herein incorporated by reference in its entirety.

The present disclosure relates generally to communication systems, and more particularly to methods, computer-readable media, and apparatuses for supporting management and resolution of alarms in communication systems.

BACKGROUND

The operation of communication networks by communication network providers often results in generation of various types of alarms which need to be analyzed and resolved by the communication network providers. For example, the operation of communication networks may result in alarms such as device alarms, security alarms, and the like. As communication networks, and the numbers of devices and applications supported by the communication networks, continue to grow, the number of alarms generated also continues to grow. Without improved handling of alarms, this may result in cost increases, delays in alarm handling times, and so forth. Accordingly, as the number of alarms continues to grow, communication network providers continue to seek ways to support improved handling of alarms.

SUMMARY

In one example, the present disclosure describes methods, computer-readable media, and apparatuses for supporting management and resolution of alarms of a communication network.

In one example, a method is performed by a processing system including at least one processor. The method includes receiving, by the processing system, a set of alarm features of a first alarm. The method includes generating, by the processing system based on the set of alarm features of the first alarm, an alarm fingerprint of the first alarm. The method includes obtaining, by the processing system for a set of historical alarms, a set of historical alarm information including, for each of the historical alarms in the set of historical alarms, a respective alarm fingerprint of the historical alarm and a respective alarm resolution of the historical alarm. The method includes determining, by the processing system based on the alarm fingerprint of the first alarm and the respective alarm fingerprints of the historical alarms, a set of similar alarms including one or more of the historical alarms determined to be similar to the first alarm, wherein the determining of the set of similar alarms includes comparing the alarm fingerprint of the first alarm with the respective alarm fingerprints of the historical alarms, based on a similarity metric, to obtain a respective set of similarity values associated with the respective historical alarms. The method includes determining, by the processing system based on one or more similarity values of respective one or more historical alarms in the set of similar alarms and respective one or more alarm resolutions of the respective one or more historical alarms in the set of similar alarms, an alarm resolution of the first alarm. The method includes initiating, by the processing system based on the alarm resolution of the first alarm, an alarm resolution action configured to resolve the first alarm.

In one example, a computer-readable medium stores instructions which, when executed by a processing system, cause the processing system to perform operations. The operations include receiving a set of alarm features of a first alarm. The operations include generating, based on the set of alarm features of the first alarm, an alarm fingerprint of the first alarm. The operations include obtaining, for a set of historical alarms, a set of historical alarm information including, for each of the historical alarms in the set of historical alarms, a respective alarm fingerprint of the historical alarm and a respective alarm resolution of the historical alarm. The operations include determining, based on the alarm fingerprint of the first alarm and the respective alarm fingerprints of the historical alarms, a set of similar alarms including one or more of the historical alarms determined to be similar to the first alarm, wherein the determining of the set of similar alarms includes comparing the alarm fingerprint of the first alarm with the respective alarm fingerprints of the historical alarms, based on a similarity metric, to obtain a respective set of similarity values associated with the respective historical alarms. The operations include determining, based on one or more similarity values of respective one or more historical alarms in the set of similar alarms and respective one or more alarm resolutions of the respective one or more historical alarms in the set of similar alarms, an alarm resolution of the first alarm. The operations include initiating, based on the alarm resolution of the first alarm, an alarm resolution action configured to resolve the first alarm.

In one example, an apparatus includes a processing system including at least one processor and a computer-readable medium storing instructions which, when executed by the processing system, cause the processing system to perform operations. The operations include receiving a set of alarm features of a first alarm. The operations include generating, based on the set of alarm features of the first alarm, an alarm fingerprint of the first alarm. The operations include obtaining, for a set of historical alarms, a set of historical alarm information including, for each of the historical alarms in the set of historical alarms, a respective alarm fingerprint of the historical alarm and a respective alarm resolution of the historical alarm. The operations include determining, based on the alarm fingerprint of the first alarm and the respective alarm fingerprints of the historical alarms, a set of similar alarms including one or more of the historical alarms determined to be similar to the first alarm, wherein the determining of the set of similar alarms includes comparing the alarm fingerprint of the first alarm with the respective alarm fingerprints of the historical alarms, based on a similarity metric, to obtain a respective set of similarity values associated with the respective historical alarms. The operations include determining, based on one or more similarity values of respective one or more historical alarms in the set of similar alarms and respective one or more alarm resolutions of the respective one or more historical alarms in the set of similar alarms, an alarm resolution of the first alarm. The operations include initiating, based on the alarm resolution of the first alarm, an alarm resolution action configured to resolve the first alarm.

In one example, a method is performed by a processing system including at least one processor. The method includes receiving, by a processing system of a first communication network, a set of alarm features of a first alarm. The method includes determining, by the processing system based on the set of alarm features of the first alarm, an alarm fingerprint of the first alarm. The method includes encoding, by the processing system, the alarm fingerprint of the first alarm to form an encoded alarm fingerprint of the first alarm. The method includes sending, by the processing system toward a second communication network, a query including the encoded alarm fingerprint of the first alarm. The method includes receiving, by the processing system from the second communication network, a query response including a set of similar encoded alarm fingerprints associated with a respective set of alarms of the second communication network, wherein the similar encoded alarm fingerprints in the set of similar encoded alarm fingerprints are identified as being similar to the encoded alarm fingerprint of the first alarm based on a similarity metric configured to determine similarity between encoded data structures. The method includes determining, by the processing system based on an analysis of the set of similar encoded alarm fingerprints, a management action related to the first alarm. The method includes initiating, by the processing system, the management action related to the first alarm.

In one example, a computer-readable medium stores instructions which, when executed by a processing system, cause the processing system to perform operations. The operations include receiving, by a processing system of a first communication network, a set of alarm features of a first alarm. The operations include determining, by the processing system based on the set of alarm features of the first alarm, an alarm fingerprint of the first alarm. The operations include encoding, by the processing system, the alarm fingerprint of the first alarm to form an encoded alarm fingerprint of the first alarm. The operations include sending, by the processing system toward a second communication network, a query including the encoded alarm fingerprint of the first alarm. The operations include receiving, by the processing system from the second communication network, a query response including a set of similar encoded alarm fingerprints associated with a respective set of alarms of the second communication network, wherein the similar encoded alarm fingerprints in the set of similar encoded alarm fingerprints are identified as being similar to the encoded alarm fingerprint of the first alarm based on a similarity metric configured to determine similarity between encoded data structures. The operations include determining, by the processing system based on an analysis of the set of similar encoded alarm fingerprints, a management action related to the first alarm. The operations include initiating, by the processing system, the management action related to the first alarm.

In one example, an apparatus includes a processing system including at least one processor and a computer-readable medium storing instructions which, when executed by the processing system, cause the processing system to perform operations. The operations include receiving, by a processing system of a first communication network, a set of alarm features of a first alarm. The operations include determining, by the processing system based on the set of alarm features of the first alarm, an alarm fingerprint of the first alarm. The operations include encoding, by the processing system, the alarm fingerprint of the first alarm to form an encoded alarm fingerprint of the first alarm. The operations include sending, by the processing system toward a second communication network, a query including the encoded alarm fingerprint of the first alarm. The operations include receiving, by the processing system from the second communication network, a query response including a set of similar encoded alarm fingerprints associated with a respective set of alarms of the second communication network, wherein the similar encoded alarm fingerprints in the set of similar encoded alarm fingerprints are identified as being similar to the encoded alarm fingerprint of the first alarm based on a similarity metric configured to determine similarity between encoded data structures. The operations include determining, by the processing system based on an analysis of the set of similar encoded alarm fingerprints, a management action related to the first alarm. The operations include initiating, by the processing system, the management action related to the first alarm.

BRIEF DESCRIPTION OF THE DRAWINGS

The teachings of the present disclosure can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:

FIG. 1 illustrates an example system configured to support management and resolution of alarms of a communication network;

FIG. 2 illustrates an example process for supporting management and resolution of alarms of a communication network;

FIG. 3 illustrates a flowchart of an example method for supporting management and resolution of alarms of a communication network;

FIG. 4 illustrates a flowchart of an example method for supporting management and resolution of alarms of a communication network; and

FIG. 5 illustrates a high level block diagram of a computing system specifically programmed to perform the steps, functions, blocks and/or operations described herein.

To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures.

DETAILED DESCRIPTION

In one example, the present disclosure describes methods, computer-readable media, and apparatuses for supporting management and resolution of alarms of a communication network. In one example, management and resolution of alarms of a communication network may include receiving a new alarm, determining an alarm resolution of the new alarm based on the new alarm and historical alarm information of historical alarms, and initiating an alarm resolution action for resolving the new alarm based on the alarm resolution of the new alarm. In one example, management and resolution of alarms of a communication network may include maintaining a set of historical alarms (e.g., alarm features, alarm fingerprints representing alarm features, alarm resolutions, and the like), receiving a new alarm (e.g., including alarm features, having alarm features associated therewith, and the like), determining a set of similar alarms including one or more of the historical alarms determined to be similar to the new alarm (e.g., based on comparison of an alarm fingerprint of the new alarm to alarm fingerprints of historical alarms based on a similarity metric), determining an alarm resolution for the new alarm based on the set of similar alarms similar to the new alarm (e.g., based on similarity values (or scores) indicative of similarity of the new alarm to ones of the similar alarms in the set of similar alarms, alarm resolutions of ones of the similar alarms in the set of similar alarms, and the like), and initiating an alarm resolution action for resolving the new alarm based on the alarm resolution of the new alarm (e.g., a blocking action, a configuration action, a notification action, and the like). In one example, management and resolution of alarms of a communication network may include providing encoded alarm information to one or more third party entities (e.g., one or more customers of the communication network provider of the communication network), which may include pushing encoded alarm fingerprints, providing encoded alarm fingerprints in response to queries, and the like. It will be appreciated that management and resolution of alarms of a communication network may be performed for various types of alarms which may be associated with a communication network (e.g., device alarms, network alarms, service alarms, security alarms, and the like). These and other aspects of the present disclosure for supporting management and resolution of alarms are discussed in greater detail below in connection with the examples of FIGS. 1-5.
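The exchange of encoded alarm fingerprints in response to queries can be illustrated as follows. This is an added example, not code from the disclosure: it assumes a fingerprint is a set of feature tokens, that the encoding is a MinHash signature under a keyed hash shared by the two networks, and that the similarity metric over encoded structures is the fraction of matching signature slots. All names, the key, and the sample alarms are constructed.

```python
import hashlib
import hmac

NUM_HASHES = 64  # signature length; more slots give a tighter similarity estimate


def encode_fingerprint(tokens, key: bytes, num_hashes: int = NUM_HASHES) -> tuple:
    """MinHash signature of a token-set fingerprint under a keyed hash (assumed encoding).

    Slot i holds the smallest HMAC-SHA256(key, i || token) prefix over all tokens,
    so the raw feature values themselves are never placed in the query.
    """
    tokens = set(tokens)
    if not tokens:
        raise ValueError("cannot encode an empty fingerprint")
    signature = []
    for i in range(num_hashes):
        salt = i.to_bytes(4, "big")
        signature.append(min(
            hmac.new(key, salt + t.encode("utf-8"), hashlib.sha256).digest()[:8]
            for t in tokens
        ))
    return tuple(signature)


def encoded_similarity(sig_a: tuple, sig_b: tuple) -> float:
    """Fraction of matching slots: an estimate of the Jaccard similarity of the
    underlying token sets, computed from the encoded signatures alone."""
    if len(sig_a) != len(sig_b):
        raise ValueError("signatures must have the same length")
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)


def answer_query(query_sig: tuple, encoded_store: dict, min_similarity: float = 0.5):
    """Responder side (second network): return its encoded fingerprints that are
    similar to the query, as (similarity, alarm_ref, signature), best first."""
    hits = []
    for ref, sig in encoded_store.items():
        score = encoded_similarity(query_sig, sig)
        if score >= min_similarity:
            hits.append((score, ref, sig))
    return sorted(hits, key=lambda hit: hit[0], reverse=True)


# Constructed sample data (not from the disclosure).
SHARED_KEY = b"constructed-demo-key"
LOCAL_ALARM = ["type=security", "signature=ssh-bruteforce", "src_class=end-device",
               "proto=tcp", "dst_port=22"]
PEER_STORE = {
    # Shares four of five tokens with LOCAL_ALARM (true Jaccard similarity 4/6).
    "peer-1": encode_fingerprint(
        ["type=security", "signature=ssh-bruteforce", "src_class=end-device",
         "proto=tcp", "dst_port=2222"], SHARED_KEY),
    # Shares no tokens with LOCAL_ALARM.
    "peer-2": encode_fingerprint(
        ["type=device", "signature=link-down", "src_class=router"], SHARED_KEY),
}

if __name__ == "__main__":
    query = encode_fingerprint(LOCAL_ALARM, SHARED_KEY)
    for score, ref, _sig in answer_query(query, PEER_STORE, min_similarity=0.3):
        print(f"{ref}: estimated similarity {score:.2f}")
```

The estimate has sampling error of a few percent at 64 slots, so a responder threshold should sit below the true similarity it is meant to catch.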

FIG. 1 illustrates an example system configured to support management and resolution of alarms of a communication network. The system 100 may include any number of interconnected networks which may use the same or different communication technologies. As illustrated in FIG. 1, system 100 may include a network 105, e.g., a telecommunication network.

In one example, the network 105 may include a backbone network, or transport network, such as an Internet Protocol (IP)/multi-protocol label switching (MPLS) network, where label switched paths (LSPs) can be assigned for routing Transmission Control Protocol (TCP)/IP packets, User Datagram Protocol (UDP)/IP packets, and other types of protocol data units (PDUs) (broadly “traffic”). However, it will be appreciated that the present disclosure is equally applicable to other types of data units and network protocols. For instance, the network 105 may alternatively or additionally include components of a cellular core network, such as a Public Land Mobile Network (PLMN), a General Packet Radio Service (GPRS) core network, and/or an evolved packet core (EPC) network, an Internet Protocol Multimedia Subsystem (IMS) network, a Voice over Internet Protocol (VoIP) network, and so forth. In one example, the network 105 uses a network function virtualization infrastructure (NFVI), e.g., servers in a data center or data centers that are available as host devices to host virtual machines (VMs) including virtual network functions (VNFs). In other words, at least a portion of the network 105 may incorporate software-defined network (SDN) components. In this regard, it should be noted that, as referred to herein, “traffic” may include all or a portion of a transmission, e.g., a sequence or flow, including one or more packets, segments, datagrams, frames, cells, PDUs, service data units, bursts, and so forth. The particular terminology or types of data units involved may vary depending upon the underlying network technology. Thus, the term “traffic” is intended to refer to any quantity of data to be sent from a source to a destination through one or more networks.

In one example, the network 105 may be in communication with networks 160 and networks 170. Networks 160 and 170 may each include a wireless network (e.g., an Institute of Electrical and Electronics Engineers (IEEE) 802.11/Wi-Fi network and the like), a cellular access network (e.g., a Universal Terrestrial Radio Access Network (UTRAN) or an evolved UTRAN (eUTRAN), and the like), a circuit switched network (e.g., a public switched telephone network (PSTN)), a cable network, a digital subscriber line (DSL) network, a metropolitan area network (MAN), an Internet service provider (ISP) network, a peer network, and the like. In one example, the networks 160 and 170 may include different types of networks. In another example, the networks 160 and 170 may be the same type of network. The networks 160 and 170 may be controlled or operated by a same entity as that of network 105 or may be controlled or operated by one or more different entities. In one example, the networks 160 and 170 may include separate domains, e.g., separate routing domains from the network 105. In one example, networks 160 and/or networks 170 may represent the Internet in general.

In one example, network 105 may transport traffic to and from user devices 141-143. For instance, the traffic may relate to communications such as voice telephone calls, video and other multimedia, text messaging, emails, and so forth among the user devices 141-143, or between the user devices 141-143 and other devices that may be accessible via networks 160 and 170. For instance, the traffic may relate to management actions performed on the network 105 (e.g., management actions such as create/update/delete (CRUD) operations, queries, and so forth). User devices 141-143 may include, for example, cellular telephones, smart phones, personal computers, other wireless and wired computing devices, private branch exchanges, customer edge (CE) routers, media terminal adapters, cable boxes, home gateways and/or routers, and so forth.

In one example, user devices 141-143 may communicate with or may communicate via network 105 in various ways. For example, user device 141 may include a cellular telephone which may connect to network 105 via network 170, e.g., a cellular access network. For instance, such an example network 170 may include one or more cell sites, e.g., including a base transceiver station (BTS), a NodeB, an evolved NodeB (eNodeB), or the like (broadly a “base station”), a remote radio head (RRH) and baseband unit, a base station controller (BSC) or radio network controller (RNC), and so forth. In addition, in such an example, components 183 and 184 in network 105 may include a serving gateway (SGW), a mobility management entity (MME), or the like. In one example, user device 142 may include a customer edge (CE) router which may provide access to network 105 for additional user devices (not shown) which may be connected to the CE router. For instance, in such an example, component 185 may include a provider edge (PE) router.

In one example, various components of network 105 may include virtual network functions (VNFs) which may physically include hardware executing computer-readable/computer-executable instructions, code, and/or programs to perform various functions. As illustrated in FIG. 1, units 123 and 124 may reside on a network function virtualization infrastructure (NFVI) 113, which is configurable to perform a broad variety of network functions and services. For example, NFVI 113 may include shared hardware, e.g., one or more host devices including line cards, central processing units (CPUs), or processors, memories to hold computer-readable/computer-executable instructions, code, and/or programs, and so forth. For instance, in one example unit 123 may be configured to be a firewall, a media server, a Simple Network Management Protocol (SNMP) trap, etc., and unit 124 may be configured to be a PE router, e.g., a virtual provider edge (VPE) router, which may provide connectivity to network 105 for user devices 142 and 143. In one example, NFVI 113 may represent a single computing device. Accordingly, units 123 and 124 may physically reside on the same host device. In another example, NFVI 113 may represent multiple host devices such that units 123 and 124 may reside on different host devices. In one example, unit 123 and/or unit 124 may have functions that are distributed over a plurality of host devices. For instance, unit 123 and/or unit 124 may be instantiated and arranged (e.g., configured/programmed via computer-readable/computer-executable instructions, code, and/or programs) to provide for load balancing between two processors and several line cards that may reside on separate host devices.

In one example, network 105 may also include an additional NFVI 111. For instance, unit 121 may be hosted on NFVI 111, which may include host devices having the same or similar physical components as NFVI 113. In addition, NFVI 111 may reside in a same location or in different locations from NFVI 113. As illustrated in FIG. 1, unit 121 may be configured to perform functions of an internal component of network 105. For instance, due to the connections available to NFVI 111, unit 121 may not function as a PE router, a SGW, a MME, a firewall, etc. Instead, unit 121 may be configured to provide functions of components that do not utilize direct connections to components external to network 105, such as a call control element (CCE), a media server (MS), a domain name service (DNS) server, a packet data network (PDN) gateway (PGW), a gateway mobile switching center (GMSC), a short message service center (SMSC), and the like.

In one example, network 105 includes a software defined network (SDN) controller 150. In one example, the SDN controller 150 may include a computing device or processing system (e.g., a server), such as computing system 500 depicted in FIG. 5, and may be configured to provide one or more operations or functions in connection with examples of the present disclosure for supporting management and resolution of alarms of a communication network.

In one example, NFVI 111 and unit 121, and NFVI 113 and units 123 and 124 may be controlled and managed by the SDN controller 150. For instance, in one example, SDN controller 150 is responsible for such functions as provisioning and releasing instantiations of VNFs to perform the functions of routers, switches, and other devices, provisioning routing tables and other operating parameters for the VNFs, and so forth. In one example, SDN controller 150 may maintain communications with VNFs and/or host devices/NFVI via a number of control links which may include secure tunnels for signaling communications over an underlying IP infrastructure of network 105. In other words, the control links may include virtual links multiplexed with transmission traffic and other data traversing network 105 and carried over a shared set of physical links. For ease of illustration the control links are omitted from FIG. 1. In one example, the SDN controller 150 also may include a virtual machine operating on NFVI/host device(s), or may include a dedicated device. For instance, SDN controller 150 may be collocated with one or more VNFs, or may be deployed in a different host device or at a different physical location.

In one example, the functions of SDN controller 150 may include the selection of NFVI from among various NFVI available in network 105 (e.g., NFVI 111 or 113) to host various devices (e.g., routers, gateways, switches, and the like) and the instantiation of such devices. For example, with respect to units 123 and 124, SDN controller 150 may download computer-executable/computer-readable instructions, code, and/or programs (broadly “configuration code”) for units 123 and 124 respectively, which when executed by a processor of the NFVI 113, may cause the NFVI 113 to perform as a PE router, a gateway, a route reflector, a SGW, a MME, a firewall, a media server, a DNS server, a PGW, a GMSC, a SMSC, a CCE, and so forth. In one example, SDN controller 150 may download the configuration code to the NFVI 113. In another example, SDN controller 150 may instruct the NFVI 113 to load the configuration code previously stored on NFVI 113 and/or to retrieve the configuration code from another device in network 105 that may store the configuration code for one or more VNFs. The functions of SDN controller 150 may also include releasing or decommissioning unit 123 and/or unit 124 when no longer required, the transferring of the functions of units 123 and/or 124 to different NFVI, e.g., when NFVI 113 is taken offline, and so on.

In one example, SDN controller 150 may represent a processing system including a plurality of controllers, e.g., a multi-layer SDN controller, one or more federated layer-0/physical layer SDN controllers, and so forth. For instance, a multi-layer SDN controller may be responsible for instantiating, tearing down, configuring, reconfiguring, and/or managing layer-2 and/or layer-3 VNFs (e.g., a network switch, a layer-3 switch and/or a router, and the like), whereas one or more layer-0 SDN controllers may be responsible for activating and deactivating optical networking components, for configuring and reconfiguring the optical networking components (e.g., to provide circuits/wavelength connections between various nodes or to be placed in idle mode), for receiving management and configuration information from such devices, and so forth. In one example, the layer-0 SDN controller(s) may in turn be controlled by the multi-layer SDN controller. For instance, each layer-0 SDN controller may be assigned to nodes/optical components within a portion of the network 105. In addition, these various components may be co-located or distributed among a plurality of different dedicated computing devices or shared computing devices (e.g., NFVI) as described herein.

In one example, the network 105 may also include internal nodes 131-135, which may include various components, such as routers, switches, route reflectors, and the like, cellular core network, IMS network, and/or VoIP network components, and so forth. In one example, these internal nodes 131-135 also may include VNFs hosted by and operating on additional NFVIs. For instance, as illustrated in FIG. 1, internal nodes 131 and 135 may include VNFs residing on additional NFVI (not shown) that are controlled by SDN controller 150 via additional control links. However, at least a portion of the internal nodes 131-135 may include dedicated devices or components, e.g., non-SDN reconfigurable devices.

In one example, the network 105 may also include components 181 and 182, e.g., PE routers interfacing with networks 160, and component 185, e.g., a PE router which may interface with user device 142. For instance, in one example, network 105 may be configured such that user device 142 (e.g., a CE router) is dual-homed. In other words, user device 142 may access network 105 via either or both of unit 124 and component 185. As mentioned above, components 183 and 184 may include a serving gateway (SGW), a mobility management entity (MME), or the like. However, in another example, components 183 and 184 also may include PE routers interfacing with network(s) 170, e.g., for non-cellular network-based communications. In one example, components 181-185 also may include VNFs hosted by and operating on additional NFVI. However, in another example, at least a portion of the components 181-185 may include dedicated devices or components.

In one example, the network 105 includes an alarm management system (AMS) 190 configured to support management and resolution of alarms related to the network 105. In one example, the AMS 190 may be configured to perform alarm management and resolution functions for alarms related to the network 105. The AMS 190 may receive alarms related to the network 105, analyze the alarms related to the network 105 to determine similarity to historical alarms related to the network 105, determine alarm resolutions for the alarms related to the network 105 based on similarity to historical alarms related to the network 105, and initiate alarm resolution actions for resolving the alarms related to the network 105 based on the alarm resolutions for the alarms related to the network 105. The AMS 190 also may be configured to, within the context of performing various alarm management and resolution functions, provide alarm management information (e.g., alarms, alarm analysis results, alarm resolutions, and the like) to various elements and entities which, as illustrated in FIG. 1, may include communication network provider elements 191 and/or third party entities 192. The operation of AMS 190 in performing such functions is discussed further within the context of FIG. 1 and may be further understood by way of reference to the example process of FIG. 2 and the example methods of FIG. 3 and FIG. 4.

The AMS 190 may be configured to receive alarms related to the network 105. The network 105 supports various communications and services, and various problems associated with support for such communications and services may result in generation of various network element alarms or network service alarms which may be provided to the AMS 190. The network 105 may face various types of attacks which may be directed against the network 105, and the detection of such attacks may result in generation of various security alarms which may be provided to the AMS 190. The AMS 190 may receive various other types of alarms related to the network 105. The AMS 190 may receive the alarms from elements of the network 105 (e.g., AMS 190 is depicted as being in communication with various elements of the network 105 and may receive alarms from various elements of the network 105), elements included within or otherwise associated with the network 105 (e.g., element management systems, network management systems, service management systems, security management systems, and the like, which have been omitted for purposes of clarity), and so forth. It will be appreciated that the AMS 190 may receive various other types of alarms, may receive alarms from various other sources of alarms, and so forth.

The AMS 190 may be configured to analyze the alarms related to the network 105 to determine similarity to historical alarms related to the network 105. The AMS 190 may analyze the alarms related to the network 105, to determine similarity to historical alarms related to the network 105, based on use of one or more similarity metrics which may be used to evaluate similarity between alarm features of alarms (e.g., using one or more distance-based metrics).

The AMS 190 may be configured to determine alarm resolutions for the alarms related to the network 105 based on similarity to historical alarms related to the network 105. The AMS 190 may determine alarm resolutions for the alarms related to the network 105 based on historical alarm information of historical alarms related to the network 105 which are identified as being similar to the alarms related to the network 105 (e.g., based on use of past resolutions used for similar alarms within the network 105).

The AMS 190 may be configured to initiate alarm resolution actions via the network 105 for resolving the alarms related to the network 105 based on the alarm resolutions for the alarms related to the network 105. The AMS 190 may initiate alarm resolution actions such as blocking an end device, reconfiguring a network element of the network 105, sending a notification related to a device, and the like.

The AMS 190, as indicated above, may be configured to provide alarm management information (e.g., alarms, alarm fingerprints, alarm resolutions, alarm analysis results, and the like) to various communication network provider elements 191. The communication network provider elements 191 may be elements of the communication network provider which operates the network 105. For example, the communication network provider elements 191 may include one or more network elements, one or more management systems (e.g., element management systems, network management systems, and the like), one or more network operations center (NOC) systems or devices (e.g., for review, analysis, and resolution by automated alarm analysis functions, human alarm analysts, and the like), and so forth. It will be appreciated that the communication network provider elements 191 may include various other elements of the communication network provider which may be involved in alarm management and resolution for the communication network provider.

The AMS 190, as indicated above, may be configured to provide alarm-related information to various third party entities 192. The third party entities 192 may be entities which are not entities of the communication network provider, but which may be affiliated with the communication network provider (e.g., enterprise customers or other entities). For example, the third party entities 192 may include one or more network elements, one or more management systems, one or more service operations center (SOC) systems or devices, and so forth. It will be appreciated that the alarm management information will be encoded before being provided to the third party entities 192, thereby protecting information under the control of the communication network provider (e.g., private information of the communication network provider, personal information of customers of the communication network provider, and the like) while also enabling third party entities to obtain and use alarm management information (e.g., for trend analysis, network management, or other purposes).

In one example, the AMS 190 may include a computing device or processing system, such as computing system 500 depicted in FIG. 5, and may be configured to provide one or more operations or functions in connection with examples of the present disclosure for supporting management and resolution of alarms.

It should be noted that the system 100 has been simplified. In other words, the system 100 may be implemented in a different form than that illustrated in FIG. 1. For example, the system 100 may be expanded to include additional networks, such as a network operations center (NOC) network, and additional network elements (not shown) such as border elements, routers, switches, policy servers, security devices, gateways, content distribution networks (CDNs), and the like, without altering the scope of the present disclosure. In addition, system 100 may be altered to omit various elements, substitute elements for devices that perform the same or similar functions and/or combine elements that are illustrated as separate devices. In one example, AMS 190 and/or other elements may include functions that are spread across several devices that operate collectively as an AMS 190. Thus, these and other modifications of the system 100 are all contemplated within the scope of the present disclosure.

FIG. 2 illustrates an example process for supporting management and resolution of alarms of a communication network. The example process 200 presented with respect to FIG. 2 may be performed by an alarm management system (AMS) 201. In one example, the AMS 201 of FIG. 2 may be used as the AMS 190 presented with respect to FIG. 1; however, it will be appreciated that the AMS 201 of FIG. 2 also may be used in various other alarm management contexts.

In the example process 200, the AMS 201 is configured to support management and resolution of alarms. The management and resolution of alarms by the AMS 201 may be further understood by first considering various aspects of alarms and the manner in which such aspects of alarms may be used to support management and resolution of alarms. In general, an alarm (which may be denoted as alarm Ai) may have a set of alarm features associated therewith (e.g., alarm features included within the alarm, alarm features determined from one or more elements or systems based on information included within the alarm, and the like). The alarm features of an alarm may vary for different types of alarms. For example, for an alarm that is a security alarm, the alarm features of the alarm may include alarm features such as a malicious IP address, a malware name, a location of origin (e.g., continent of origin, country of origin, and the like), temporal information (e.g., day of week, time of day, and the like), an application, a programming language, a protocol, a port number, a malware signature, a command and control address, and the like. It will be appreciated that various types of alarms may include various different combinations of alarm features. The alarm features of an alarm may be maintained as a feature set (which, for an alarm Ai, may be represented as Ai={Fi1, Fi2, . . . , Fin}). The alarm may be represented using an alarm fingerprint generated for the alarm based on the alarm features of the alarm. The alarm fingerprint of an alarm may include hashed representations of the alarm features of the alarm (which, for an alarm Ai, may be represented as fingerprint(Ai)={hash(Fi1), hash(Fi2), . . . , hash(Fin)}).
The alarm features of an alarm may be hashed, to form the alarm fingerprint of the alarm, based on various types of hashing algorithms such as a Secure Hash Algorithm (e.g., using SHA-3, SHA-2 with hash functions such as SHA-512 and SHA-256, and the like) or other suitable hashing algorithms. The alarm fingerprint of an alarm may be encoded to protect the information of the alarm. The alarm fingerprint of an alarm may be encoded, to form the encoded alarm fingerprint, based on various types of encoding mechanisms (e.g., Bloom filters or other types of encoding mechanisms). The AMS 201, as discussed further below, may be configured to support various alarm management and resolution functions which may be used to support handling of such alarms.

In the example process 200, the AMS 201 maintains historical alarm information 210 for a set of historical alarms which were previously handled by the AMS 201 and which may be used by the AMS 201 for handling new alarms. The historical alarms are depicted as alarms A1 . . . An. The n historical alarms which are considered in evaluating a new alarm may include all available historical alarms or a subset of the available historical alarms (e.g., the n most recent historical alarms, n alarms selected as a subset of the available historical alarms based on one or more conditions, and the like). The historical alarm information 210 for the set of historical alarms may include, for each of the historical alarms, the historical alarm (e.g., including the alarm features of the historical alarm), the alarm fingerprint of the historical alarm (e.g., hashes of the alarm features of the historical alarm), the encoded alarm fingerprint of the historical alarm, alarm resolution information for the historical alarm (e.g., an alarm resolution type of the historical alarm, a description of the alarm resolution of the historical alarm, a set of alarm resolution actions performed for resolving the historical alarm, one or more methods or procedures used for resolving the historical alarm, and the like), and so forth.

In the example process 200, the AMS 201 receives a new alarm and determines new alarm information 220 associated with the new alarm. The new alarm is depicted as new alarm Ai. The new alarm has a set of alarm features associated therewith (e.g., alarm features included within the new alarm, alarm features determined based on investigation of the alarm, and the like). The AMS 201 obtains the alarm features of the new alarm. The AMS 201 generates an alarm fingerprint of the new alarm. The alarm fingerprint of the new alarm may include the alarm features of the new alarm, hashes of the alarm features of the new alarm, and the like. The AMS 201 also may generate an encoded alarm fingerprint of the alarm fingerprint of the new alarm. The encoding of the alarm fingerprint to form the encoded alarm fingerprint may be based on various encoding mechanisms (e.g., using Bloom filters or other suitable encoding mechanisms). The new alarm information 220 for the new alarm may include the new alarm, the alarm fingerprint of the new alarm, and so forth.

In the example process 200, the AMS 201 determines, using the new alarm information 220 of the new alarm and the historical alarm information 210 of the set of historical alarms, a set of similar alarms for the new alarm. The similar alarms are depicted as similar alarms A1 . . . Ax, where the range of 1 to x may represent the fact that one or more of the n historical alarms may be included within the set of similar alarms (i.e., 1≤x≤n). The set of similar alarms for the new alarm may be used for determining an alarm resolution of the new alarm. The set of similar alarms for the new alarm may include one or more of the historical alarms determined to be similar to the new alarm. The set of similar alarms similar to the new alarm may be determined based on similarity of the set of alarm features of the new alarm to the sets of features of the historical alarms, which may be evaluated based on comparisons, based on a similarity metric, of the alarm fingerprint of the new alarm to the alarm fingerprints of the historical alarms. The set of similar alarms similar to the new alarm which are initially determined based on similarity of alarm fingerprints based on a similarity metric may be further refined based on one or more conditions (e.g., conditions to limit the number of similar alarms used for determining the alarm resolution of the new alarm, conditions to select a subset of the similar alarms that are more likely to be useful in determining an alarm resolution of the new alarm, and the like). In one example, the set of similar alarms similar to the new alarm may be determined by an alarm similarity function 202 of the AMS 201. The set of similar alarms similar to the new alarm, which may include one or more of the historical alarms, may be used to determine an alarm resolution of the new alarm.

The set of similar alarms similar to the new alarm may be determined based on comparison of the new alarm (based on the new alarm information 220 of the new alarm) to each of the historical alarms (based on the historical alarm information 210 of the historical alarms). The comparison of the new alarm to the historical alarms may be based on comparison of the alarm features of the new alarm to the alarm features of the historical alarms. The comparison of the alarm features of the new alarm to the alarm features of the historical alarms may be based on comparison of the alarm fingerprint of the new alarm to alarm fingerprints of the historical alarms. The comparison of the alarm fingerprint of the new alarm to the alarm fingerprints of the historical alarms may be based on a similarity metric configured to measure similarity between a pair of alarm fingerprints of a pair of alarms (namely, between the alarm fingerprint of the new alarm and each of the alarm fingerprints of each of the historical alarms). The similarity metric may be a distance-based metric configured to measure distance between a pair of alarm fingerprints of a pair of alarms or other suitable metric which may be used to determine similarity between a pair of alarm fingerprints of a pair of alarms. For example, the similarity metric may be a Jaccard similarity metric or other suitable metric which may be used to determine a distance between a pair of alarm fingerprints of a pair of alarms. For example, where a Jaccard similarity metric is used, the distance between a pair of alarm fingerprints of a pair of alarms may be computed as follows: d(Ai,Aj)=|Ai∩Aj|/|Ai∪Aj|, where Ai may represent the alarm fingerprint of the new alarm and Aj may represent the alarm fingerprint of the historical alarm that is being compared to the new alarm.
The determination, based on a similarity metric, as to whether to add an historical alarm to the set of similar alarms for the new alarm may include determining a similarity value indicative of a similarity of the alarm fingerprint of the new alarm to the alarm fingerprint of the historical alarm and comparing the similarity value to a similarity threshold for determining whether to add the historical alarm to the set of similar alarms. The similarity value and the similarity threshold used to evaluate the similarity value may be determined based on the similarity metric. If the similarity between the alarm fingerprint of the new alarm and the alarm fingerprint of the historical alarm does not satisfy the similarity threshold (e.g., the determined similarity value, such as the distance d(Ai,Aj) where the Jaccard similarity metric is used, is less than the similarity threshold), then the historical alarm is not selected as a similar alarm and, thus, not included in the set of similar alarms similar to the new alarm. If the similarity between the alarm fingerprint of the new alarm and the alarm fingerprint of the historical alarm satisfies the similarity threshold (e.g., the determined similarity value, such as the distance d(Ai,Aj) where the Jaccard similarity metric is used, is greater than the similarity threshold), then the historical alarm is selected as a similar alarm and, thus, included in the set of similar alarms similar to the new alarm. In one example, the similarity values may be determined based on weighting of alarm features of the alarms being compared. It will be appreciated that the set of similar alarms, including one or more of the historical alarms determined to be similar to the new alarm, may be determined in various other ways (e.g., based on use of other types of similarity metrics, based on use of similarity metrics in other ways, and the like).

The set of similar alarms similar to the new alarm that is used to determine an alarm resolution for the new alarm may include each of the historical alarms identified as being similar to the new alarm or may include a subset of the historical alarms identified as being similar to the new alarm. In other words, the set of similar alarms similar to the new alarm, which is determined based on similarity of the alarm features of the new alarm to the alarm features of the historical alarms, may be further refined to obtain the set of similar alarms that is used to determine an alarm resolution for the new alarm. The set of similar alarms similar to the new alarm may be further refined, to obtain the set of similar alarms that is used to determine the alarm resolution for the new alarm, based on one or more conditions (e.g., conditions to limit the number of similar alarms used for determining the alarm resolution of the new alarm, conditions to select a subset of the similar alarms that are more likely to be useful in determining an alarm resolution of the new alarm, and the like). In one example, where the set of similar alarms similar to the new alarm includes more than a threshold number of similar alarms (e.g., a threshold of k similar alarms), the top k similar alarms may be selected, from the set of similar alarms determined based on the similarity metric, to form the set of similar alarms (e.g., the k similar alarms having the greatest similarity values). In one example, after the set of similar alarms similar to the new alarm is determined based on the similarity metric, a subset of the similar alarms may be selected based on one or more conditions (e.g., selecting any of the similar alarms having automated resolutions associated therewith).
In one example, the set of similar alarms determined based on the similarity metric may be further refined based on a combination of such conditions (e.g., selecting the top k similar alarms in terms of greatest similarity values that also have automated resolutions associated therewith). It will be appreciated that the set of similar alarms similar to the new alarm, which is determined based on the similarity metric, may be further refined in various other ways to obtain the set of similar alarms that is used to determine an alarm resolution for the new alarm.
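The following added example (not part of the disclosure) works through the selection just described: SHA-256 alarm fingerprints, Jaccard comparison against historical alarms, a similarity threshold, and refinement to the top k alarms having automated resolutions. The feature names, alarm identifiers, sample values, the threshold of 0.3, the "name=value" hashing convention, and the treatment of a value equal to the threshold as satisfying it are assumptions of the example.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(features):
    """fingerprint(Ai) = {hash(Fi1), ..., hash(Fin)}, with SHA-256 as the hash.

    Hashing "name=value" instead of the bare value is an assumption of this
    example; it keeps equal values in different fields from colliding.
    """
    return frozenset(
        hashlib.sha256(f"{name}={value}".encode()).hexdigest()
        for name, value in features.items()
    )


def jaccard(fp_i, fp_j):
    """d(Ai,Aj) = |Ai ∩ Aj| / |Ai ∪ Aj|; two empty fingerprints score 0.0."""
    union = fp_i | fp_j
    return len(fp_i & fp_j) / len(union) if union else 0.0


@dataclass(frozen=True)
class HistoricalAlarm:
    alarm_id: str
    fp: frozenset          # alarm fingerprint (set of feature hashes)
    resolution: str        # description of the past resolution
    automated: bool        # whether that resolution was automated


def similar_alarms(new_fp, history, threshold, k=None, automated_only=False):
    """Return (similarity, alarm) pairs, most similar first.

    An alarm is kept when its similarity is at least the threshold (equality
    counts as satisfying it, by assumption), optionally only when it has an
    automated resolution, and the result is optionally cut to the top k.
    """
    scored = [(jaccard(new_fp, h.fp), h) for h in history]
    kept = [(s, h) for s, h in scored
            if s >= threshold and (h.automated or not automated_only)]
    kept.sort(key=lambda pair: pair[0], reverse=True)
    return kept if k is None else kept[:k]


# Constructed sample data: six features per alarm, documentation-range IPs.
NEW_ALARM = {
    "src_ip": "203.0.113.7", "src_device": "dev-901", "dst_device": "srv-12",
    "protocol": "smb", "malware_name": "ExampleWorm", "malware_sig": "sig-0001",
}
NEW_FP = fingerprint(NEW_ALARM)

HISTORY = [
    # shares 4 of 6 features with the new alarm -> 4/8 = 0.5
    HistoricalAlarm("H1", fingerprint({**NEW_ALARM, "src_ip": "198.51.100.4",
                                       "src_device": "dev-417"}),
                    "add source device to blocklist at core element", True),
    # shares 3 of 6 features -> 3/9 = 0.333...
    HistoricalAlarm("H2", fingerprint({**NEW_ALARM, "src_ip": "198.51.100.9",
                                       "src_device": "dev-230",
                                       "protocol": "http"}),
                    "notify owner of attacked device", True),
    # shares 5 of 6 features -> 5/7 = 0.714..., but was resolved manually
    HistoricalAlarm("H3", fingerprint({**NEW_ALARM, "src_ip": "198.51.100.77"}),
                    "analyst-driven investigation", False),
    # shares nothing -> 0.0
    HistoricalAlarm("H4", fingerprint({"src_ip": "192.0.2.50",
                                       "protocol": "dns"}),
                    "reconfigure resolver", True),
]

if __name__ == "__main__":
    for score, alarm in similar_alarms(NEW_FP, HISTORY, 0.3):
        print(f"{alarm.alarm_id} {score:.3f} automated={alarm.automated}")
    best = similar_alarms(NEW_FP, HISTORY, 0.3, k=1, automated_only=True)
    print("resolution candidate:", best[0][1].resolution)
```

The most similar alarm overall (H3) is dropped once the automated-resolution condition is applied, which is the practical effect of combining the two refinement conditions.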

In the example process 200, the AMS 201 determines similar alarm information 230 of the set of similar alarms similar to the new alarm. The similar alarm information 230 of the set of similar alarms similar to the new alarm may include at least a portion of the historical alarm information 210 of the similar alarms (e.g., the historical alarms (e.g., including the alarm features of the historical alarms), the alarm fingerprints of the historical alarms (e.g., hashes of the alarm features of the historical alarms), the encoded alarm fingerprints of the historical alarms, alarm resolution information for the historical alarms (e.g., alarm resolution types of the historical alarms, descriptions of the alarm resolutions of the historical alarms, sets of alarm resolution actions performed for resolving the historical alarms, and the like), and so forth), the similarity values determined for the similar alarms, and so forth. It will be appreciated that the similar alarm information 230 for the set of similar alarms similar to the new alarm may include various other types of information.

In the example process 200, the AMS 201 determines an alarm resolution 240 of the new alarm. The alarm resolution 240 of the new alarm may be determined based on the similar alarm information 230 of the set of similar alarms (e.g., using the alarm resolution of the similar alarm having the highest similarity value). The alarm resolution of the new alarm may be determined based on the new alarm information 220 of the new alarm and the similar alarm information 230 of the set of similar alarms (e.g., using the alarm resolutions of one or more of the similar alarms and the alarm features of the new alarm to construct the alarm resolution of the new alarm). It will be appreciated, as discussed further below, that the similar alarm information 230 of the similar alarms in the set of similar alarms and the new alarm information 220 of the new alarm may be used in various ways for determining the alarm resolution 240 of the new alarm. The alarm resolution of the new alarm may include various types of alarm resolutions which may be used to resolve various types of alarms which may be associated with a communication network. In one example, the alarm resolution 240 of the new alarm may be determined by an alarm resolution function 203 of the AMS 201.

In one example, the alarm resolution 240 of the new alarm may be determined by using the alarm resolution, or a modified version of the alarm resolution, of one of the historical alarms in the set of similar alarms. For example, the alarm resolution of the similar alarm having the highest similarity value may be used as the alarm resolution 240 of the new alarm or may be used as a basis for determining the alarm resolution 240 of the new alarm (e.g., the alarm resolution of the similar alarm may be modified, based on analysis of the alarm features of the similar alarm and the alarm features of the new alarm, to form the alarm resolution for the new alarm).

In one example, the alarm resolution 240 of the new alarm may be determined by using the alarm resolutions, or modified versions of the alarm resolutions, of multiple historical alarms in the set of similar alarms (e.g., the similar alarms having the highest similarity values, the similar alarms having the highest similarity values and automated resolutions, and the like). For example, a subset of the similar alarms, including the similar alarms having the highest similarity values and automated resolutions, may be analyzed in order to determine the alarm resolution 240 of the new alarm (e.g., analyzing the alarm resolutions of the selected subset of similar alarms to determine common aspects of the alarm resolutions and processing the common aspects of the alarm resolutions to determine the alarm resolution 240 of the new alarm).

In one example, the alarm resolution 240 of the new alarm may be determined based on application of machine learning techniques to analyze the new alarm information 220 of the new alarm and the similar alarm information 230 of the set of similar alarms. The machine learning techniques may be used to construct the alarm resolution 240 of the new alarm based on analysis of the alarm features of the new alarm and the alarm resolutions of the similar alarms in the set of similar alarms.

In one example, the alarm resolution 240 of the new alarm may include blocking a device (e.g., an end user device identified as being malicious where the new alarm is a security alarm), reconfiguring one or more network devices (e.g., establishing or terminating connections, allocating or deallocating resources, and the like), notifying one or more entities (e.g., a customer, a user of an asset, an owner of an asset, and the like), and so forth. It will be appreciated that various other types of alarm resolutions may be used for resolving the new alarm.

In the example process 200, the AMS 201 initiates, based on the alarm resolution 240 of the new alarm, an alarm resolution action for providing the alarm resolution of the new alarm. For example, where the alarm resolution 240 of the new alarm includes blocking an end user device, the AMS 201 may initiate one or more messages to one or more network devices for causing the device to be blocked (e.g., sending a message to a network device of a core network to block the device, sending a message to a network device of an access network to block the device, and the like). For example, where the alarm resolution 240 of the new alarm includes reconfiguring a network device, the AMS 201 may initiate one or more messages to the network device that are configured to cause a reconfiguration of the network device (e.g., establishment or termination of a connection on the network device, allocation or deallocation of resources on the network device, and the like). For example, where the alarm resolution 240 of the new alarm includes a notification, the AMS 201 may initiate one or more notification messages to one or more entities (e.g., a customer, a user of an asset, an owner of an asset, and the like). It will be appreciated that the AMS 201 may be configured to initiate various other resolution actions configured to support resolution of the new alarm.

It will be appreciated that the example process 200 may be further understood with respect to an example. For example, assume that a new security alarm is received by the AMS 201. The new security alarm includes some alarm features describing the security alarm, such as an IP address associated with a malicious message of a malicious device which triggered the security alarm, an indication of a device to which the malicious message was directed, an indication of a protocol of the malicious message, and a malware name and a malware signature associated with the malicious message. The AMS 201 uses the IP address included within the security alarm to determine a device identifier of the malicious device. The AMS 201 generates an alarm fingerprint including hashed versions of the six alarm features related to the security alarm: namely, the IP address of the malicious device, the device identifier of the malicious device, the device identifier of the attacked device, the protocol type of the protocol, the malware name, and the malware signature. The AMS 201 compares the alarm fingerprint of the security alarm with alarm fingerprints of thousands of previous alarms handled by the AMS 201 and identifies eight similar alarms having a certain level of similarity to the security alarm. The AMS 201 analyzes the alarm features of the security alarm and the alarm features of the similar alarms, as well as the alarm resolutions of the similar alarms, to determine the alarm resolution for the security alarm. For example, the AMS 201 may determine, from the historical alarm information of the similar alarms, that the same device was attacked with the same malware by other malicious devices in the past. The alarm resolutions of those similar alarms indicate that blocking of the malicious devices associated with those similar alarms, using a particular type of blocking at a particular location within the network, prevented further attacks by those malicious devices.
The AMS 201 may then determine that the alarm resolution for the security alarm is to block the malicious device of the security alarm by adding the device identifier of the malicious device to a blacklist at a particular element in the core network portion of the communication network. The AMS 201 may send a message to a network controller to cause the network controller to trigger configuration of the network to add the device identifier of the malicious device to the blacklist. In this manner, previous resolutions of similar alarms enabled automated, more efficient resolution of the new security alarm.

In the example process 200, the AMS 201 may determine a refinement of the similarity metric for use in handling future alarms. The refinement of the similarity metric may be based on the alarm resolution process (e.g., the alarm resolution 240 of the new alarm and/or various aspects of the process by which the alarm resolution 240 of the new alarm was determined by the alarm resolution function 203 and/or the process by which the new alarm was resolved by the AMS 201, resolution of previous alarms now considered to be part of the set of historical alarms and/or various aspects of the processes by which the previous alarms were resolved, and so forth). The refinement of the similarity metric may be based on one or more other factors, such as one or more factors related to the volume of alarms being observed and handled, one or more factors related to the types of alarms being observed and handled, one or more temporal factors (e.g., time of day, day of the week, day of the year and so forth, where such temporal factors may be related to the volume of alarms being received, the types of alarms being observed and handled, and so forth), and the like. The refinement of the similarity metric may include changing a manner in which the similarity value of the similarity metric is computed, changing a similarity threshold used for determining similarity based on the similarity metric, changing the type of similarity metric that is used, and the like. For example, where a larger than usual volume of alarms is observed or expected, the similarity threshold used for determining similarity of new alarms to historical alarms may be raised in order to limit the number of similar alarms which need to be evaluated to determine the alarm resolutions of the new alarms.
For example, where a larger than usual volume of alarms of a particular type is observed or expected, the similarity threshold used for determining similarity of new alarms to historical alarms may be lowered to ensure that a reasonable number of historical alarms are identified as being similar in order to provide similar alarms which may be evaluated to determine alarm resolution of new alarms of that alarm type. It will be appreciated that the similarity metric may be refined based on various other inputs, in various other ways, and the like. It will be appreciated that this may provide a feedback loop such that knowledge obtained based on handling of alarms may be used to improve the similarity metric applied for identification of similar historical alarms during handling of new alarms in the future and, thus, also improve the handling of new alarms in the future.

In the example process 200, the AMS 201, in addition to supporting handling of new alarms by the communication network provider, may make certain portions of alarm information available to certain third parties (e.g., customers of the communication network provider, such as enterprise customers, or other suitable third parties). The AMS 201 may make alarm fingerprints of alarms available to third parties. The AMS 201 may make the alarm fingerprints available to the third parties in an encoded format to protect the alarm information that is made available to the third parties. In one example, the encoding of the alarm fingerprints may be performed using Bloom filters, although it will be appreciated that other encoding mechanisms may be used for encoding the alarm fingerprints. The AMS 201 may make the encoded alarm fingerprints available to the third parties by providing the encoded alarm fingerprints to the third parties as the alarm fingerprints are determined, by responding to queries from the third parties, and so forth. This is depicted as encoded alarm fingerprints 250.

In one example, the communication network provider may provide encoded alarm fingerprints 250 to third parties as the alarm fingerprints are generated during handling of new alarms (here, the encoded alarm fingerprints 250 may represent the set of encoded alarm fingerprints provided as they are generated). The encoding of alarm fingerprints may be based on various types of encoding mechanisms. In one example, the encoding of alarm fingerprints may be based on use of data structures configured to indicate which elements are present in a data set without revealing the details of the elements (e.g., Bloom filters or other similar data structures). It will be appreciated that the use of such data structures for encoding alarm fingerprints enables the third party to determine which alarm features are present in particular alarms without the details of those alarm features being revealed to the third party, thereby protecting the details of the alarms (e.g., customers, applications, IP addresses, and various other types of personal information which may be included within or associated with alarms). For example, the third party may determine, based on the bits set in the Bloom filter encoding the alarm fingerprint of the alarm, that the alarm includes an IP address, a port number, a protocol, a malware name, and a malware signature, without seeing the details of these features of the alarms. It will be further appreciated that, although the details of the alarms are not revealed to the third parties, the encoded alarm fingerprints 250 still provide information which may be analyzed by the third parties for various purposes.
For example, analyzing the manner in which the bits are set in the Bloom filters encoding the alarm fingerprints of alarms may be used to determine various types of encoded alarm fingerprint analytics information, such as alarm volume information (e.g., the volume of alarms including IP addresses, the volume of alarms including a malware name and a malware signature, and the like), alarm trend information (e.g., increases or decreases in the number of alarms including a malware name and a malware signature, increases or decreases in the number of alarms including a protocol, and the like), and so forth. In this manner, the third parties may determine which alarm features are present in particular alarms without the details of those alarm features being revealed to the third party, thereby protecting the details of the alarms (e.g., customers, applications, IP addresses, and various other types of personal information which may be included within or associated with alarms).

In one example, the communication network provider (e.g., the AMS 201) may provide encoded alarm fingerprints 250 to third parties based on encoded alarm fingerprint queries received from the third parties. For example, a third party may initiate a query to the AMS 201 that includes a target encoded alarm fingerprint and that requests that the AMS 201 identify and provide similar encoded alarm fingerprints similar to the target encoded alarm fingerprint. The AMS 201 may receive the query from the third party including the target encoded alarm fingerprint, compare the target encoded alarm fingerprint to encoded alarm fingerprints maintained by the AMS 201 (e.g., the encoded alarm fingerprint of the new alarm and the encoded alarm fingerprints of the historical alarms) to identify a set of similar encoded alarm fingerprints, and provide a query response to the third party that includes the set of similar encoded alarm fingerprints (here, the encoded alarm fingerprints 250 may represent the set of similar encoded alarm fingerprints provided in response to a query). The AMS 201 may compare the target encoded alarm fingerprint to encoded alarm fingerprints maintained by the AMS 201, to identify the set of similar encoded alarm fingerprints, based on use of a similarity metric which may be used to compare encoded data structures (e.g., Bloom filters, where Bloom filters are used as the encoding mechanism). In one example, the similarity metric that is used to compare the target encoded alarm fingerprint with one of the encoded alarm fingerprints may be the Tanimoto similarity metric, which may be used to compute the similarity between encoded data structures (e.g., the similarity between the bit arrays of two Bloom filters of size s, where encoding of the alarm fingerprints is based on use of Bloom filters).
For example, assuming that Bi and Bj are bit arrays corresponding to alarms Ai and Aj (e.g., Bloom filters encoding the alarm fingerprints representing the alarm features of alarm Ai and the alarm features of alarm Aj), respectively, then the Tanimoto similarity metric may be computed as: T(Bi,Bj)=(Σ(Bik∧Bjk))/(Σ(Bik∨Bjk)), where 1≤k≤s. Here, if Bi is identical to Bj (representing the fact that the two alarms have the same alarm features) then T(Bi,Bj)=1, whereas if there is no same bit position set in the bit vectors of Bi and Bj (representing the fact that the two alarms have no similar alarm features) then T(Bi,Bj)=0. It will be appreciated that, although primarily described with respect to use of the Tanimoto similarity metric for identifying the similar encoded alarm fingerprints, various other suitable similarity metrics may be used for comparing encoded alarm fingerprints to identify the similar encoded alarm fingerprints. It will be appreciated that, although the details of the alarms are not revealed to the third parties, the encoded alarm fingerprints still provide information which may be analyzed by the third parties for various purposes. For example, analyzing the manner in which the bits are set in the Bloom filters encoding the alarm fingerprints of alarms may be used to determine whether the communication network provider is observing alarms similar to those being observed by the third party (e.g., in their enterprise network, where the third party is a customer of the communication network provider). In this manner, the third parties may determine which alarm features are present in particular alarms without the details of those alarm features being revealed to the third party, thereby protecting the details of the alarms (e.g., customers, applications, IP addresses, and various other types of personal information which may be included within or associated with alarms).

It will be appreciated that the third parties may use the encoded alarm fingerprint information (e.g., encoded alarm fingerprints pushed to the third party entity, encoded alarm fingerprint query results provided to the third party entity, and the like) and/or encoded alarm fingerprint analytics information (e.g., results of trend analytics based on encoded alarm fingerprints) for various purposes. In one example, a third party entity may use the encoded alarm fingerprint information and/or the encoded alarm fingerprint analytics information to initiate one or more actions in a third party network of the third party (e.g., a configuration action, a reconfiguration action, a security action, a notification action, and the like). In one example, a third party entity may use the encoded alarm fingerprint information and/or the encoded alarm fingerprint analytics information to request that the communication network provider perform one or more actions in the communication network on behalf of the third party (e.g., a configuration action, a reconfiguration action, a security action, and the like). It will be appreciated that the third parties may use the encoded alarm fingerprint information and/or the encoded alarm fingerprint analytics information for various other purposes even though the third party entities are unable to access the details of the alarms upon which the encoded alarm fingerprint information and, thus, the encoded alarm fingerprint analytics information, is based.

It will be appreciated that, although examples presented herein describe scenarios in which certain information may be provided from the communication network provider to third party entities, the communication network provider will take all necessary precautions to protect the privacy of any information which may be provided to third parties. Namely, as discussed above, the encoding of the alarm fingerprints which may be provided from the communication network provider to third party entities enables the third party entities to receive information about the types of alarm features which are being observed in alarms without obtaining any of the details of the alarm features which are being observed in alarms, thereby protecting any personal or private information which may be included in the alarms.

FIG. 3 illustrates a flowchart of an example method for supporting management and resolution of alarms of a communication network. In one example, the method 300 is performed by an alarm management system (e.g., the AMS 190 of FIG. 1) or by one or more components thereof (e.g., a processor, or processors, performing operations stored in and loaded from a memory), or by an alarm management system in conjunction with one or more other components. In one example, the steps, functions, or operations of method 300 may be performed by a computing device or processing system, such as computing system 500 and/or hardware processor element 502 as presented with respect to FIG. 5. For instance, the computing system 500 may represent any one or more components of the system 100 and/or the process 200 that is/are configured to perform the steps, functions and/or operations of the method 300. Similarly, in one example, the steps, functions, or operations of method 300 may be performed by a processing system including one or more computing devices collectively configured to perform various steps, functions, and/or operations of the method 300. For instance, multiple instances of the computing system 500 may collectively function as a processing system. For illustrative purposes, the method 300 is described in greater detail below in connection with an example performed by a processing system. The method 300 begins in step 305 and proceeds to step 310.

At step 310, the processing system may receive a set of alarm features of a first alarm. In one example, at least one of the alarm features in the set of alarm features of the first alarm is retrieved from the first alarm. In one example, at least one of the alarm features of the set of alarm features of the first alarm is determined based on an investigation of the first alarm.

At step 320, the processing system may generate, based on the set of alarm features of the first alarm, an alarm fingerprint of the first alarm. In one example, the generating of the alarm fingerprint of the first alarm includes generating, by the processing system based on the set of alarm features of the first alarm, a set of hashes for the first alarm, wherein the set of hashes for the first alarm includes, for each of the alarm features in the set of alarm features of the first alarm, a respective hash of the respective alarm feature and generating, by the processing system based on the set of hashes for the first alarm, the alarm fingerprint of the first alarm, wherein the alarm fingerprint of the first alarm includes a data structure including the set of hashes for the first alarm.

At step 330, the processing system may obtain, for a set of historical alarms, a set of historical alarm information including, for each of the historical alarms in the set of historical alarms, a respective alarm fingerprint of the historical alarm and a respective alarm resolution of the historical alarm.

At step 340, the processing system may determine, based on the alarm fingerprint of the first alarm and the respective alarm fingerprints of the historical alarms, a set of similar alarms including one or more of the historical alarms determined to be similar to the first alarm, wherein the determining of the set of similar alarms includes comparing the alarm fingerprint of the first alarm with the respective alarm fingerprints of the historical alarms, based on a similarity metric, to obtain a respective set of similarity values associated with the respective historical alarms. In one example, for at least one of the alarm fingerprints of at least one of the historical alarms, the respective similarity value associated with the respective historical alarm is based on a distance between the alarm fingerprint of the first alarm and the respective alarm fingerprint of the respective historical alarm. In one example, the similarity metric includes a distance-based metric. In one example, the distance-based metric includes a Jaccard similarity metric. In one example, the set of similar alarms is determined based on a similarity threshold associated with the similarity metric. In one example, the similarity threshold is based on an analysis of at least a portion of the historical alarms in the set of historical alarms. In one example, the determining of the set of similar alarms is based on, for at least one of the historical alarms, whether the resolution of the respective historical alarm includes an automated resolution.

At step 350, the processing system may determine, based on one or more similarity values of respective one or more historical alarms in the set of similar alarms and respective one or more alarm resolutions of the respective one or more historical alarms in the set of similar alarms, an alarm resolution of the first alarm. In one example, the determining of the alarm resolution of the first alarm includes selecting, by the processing system from the set of similar alarms based on the respective one or more similarity values of the respective one or more historical alarms in the set of similar alarms and the respective one or more alarm resolutions of the respective one or more historical alarms in the set of similar alarms, one of the similar alarms and determining, by the processing system based on the respective alarm resolution of the one of the similar alarms, the alarm resolution of the first alarm. In one example, the one of the similar alarms includes one of the historical alarms, from ones of the similar alarms in the set of similar alarms for which the respective alarm resolution of the respective historical alarm includes an automated resolution, having a greatest similarity value.

At step 360, the processing system may initiate, based on the alarm resolution of the first alarm, an alarm resolution action configured to resolve the first alarm. In one example, the alarm resolution action includes at least one of a blocking of an end device, a configuration of a network device, and a sending of a notification related to a device. Following step 360, the method 300 proceeds to step 395 where the method 300 ends.
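Steps 310 through 360 of the method 300 can be sketched as follows. This is an added example, not code from the disclosure: SHA-256 as the per-feature hash, the `key=value` feature strings, the alarm identifiers, the resolution names and the threshold of 0.5 are all assumptions, and the sample alarms are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


def fingerprint(features: Iterable[str]) -> FrozenSet[str]:
    """Step 320: one hash per alarm feature, collected into a set."""
    return frozenset(hashlib.sha256(f.encode("utf-8")).hexdigest() for f in features)


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Jaccard similarity |a & b| / |a | b|; two empty fingerprints score 0."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


@dataclass(frozen=True)
class HistoricalAlarm:
    """Step 330: a historical alarm's fingerprint and how it was resolved."""
    alarm_id: str
    fingerprint: FrozenSet[str]
    resolution: str
    automated: bool  # True if the resolution was carried out automatically


def similar_alarms(new_fp: FrozenSet[str], history: List[HistoricalAlarm],
                   threshold: float) -> List[Tuple[float, HistoricalAlarm]]:
    """Step 340: historical alarms at or above the threshold, most similar first."""
    scored = [(jaccard(new_fp, h.fingerprint), h) for h in history]
    kept = [pair for pair in scored if pair[0] >= threshold]
    return sorted(kept, key=lambda pair: pair[0], reverse=True)


def resolve(new_features: Iterable[str], history: List[HistoricalAlarm],
            threshold: float) -> Optional[str]:
    """Step 350: take the resolution of the most similar alarm whose resolution
    was automated. None means nothing qualifies and an analyst must decide."""
    ranked = similar_alarms(fingerprint(new_features), history, threshold)
    automated = [h for _, h in ranked if h.automated]
    return automated[0].resolution if automated else None


# Constructed sample data (documentation address ranges, made-up names).
HISTORY = [
    HistoricalAlarm("H1", fingerprint(["src_ip=198.51.100.10", "dst_port=445",
                                       "proto=tcp", "malware=ExampleWormA",
                                       "sig=sig-0001"]),
                    "block_end_device", automated=True),
    HistoricalAlarm("H2", fingerprint(["src_ip=198.51.100.10", "dst_port=445",
                                       "proto=tcp", "malware=ExampleWormA",
                                       "sig=sig-0002"]),
                    "notify_device_owner", automated=False),
    HistoricalAlarm("H3", fingerprint(["src_ip=192.0.2.55", "dst_port=53",
                                       "proto=udp", "malware=ExampleDnsTunnel",
                                       "sig=sig-0100"]),
                    "configure_network_device", automated=True),
]
NEW_ALARM = ["src_ip=198.51.100.10", "dst_port=445", "proto=tcp",
             "malware=ExampleWormA", "sig=sig-0002"]

if __name__ == "__main__":
    for score, alarm in similar_alarms(fingerprint(NEW_ALARM), HISTORY, 0.5):
        print(f"{alarm.alarm_id} similarity={score:.3f} automated={alarm.automated}")
    # Step 360 would initiate the action named by this resolution.
    print("resolution:", resolve(NEW_ALARM, HISTORY, 0.5))
```

The closest match, H2, was resolved manually, so the selection falls through to H1, the most similar alarm with an automated resolution.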

It should also be noted that the method 300 may be expanded to include additional steps, or may be modified to replace steps with different steps, to combine steps, to omit steps, to perform steps in a different order, and so forth. It will be appreciated that these and other modifications are all contemplated within the scope of the present disclosure.

In addition, although not expressly specified above, one or more steps of the method 300 may include a storing, displaying, and/or outputting steps as required for a particular application. In other words, any data, records, fields, and/or intermediate results discussed in the method can be stored, displayed, and/or outputted to another device as required for a particular application. Furthermore, operations, steps, or blocks in FIG. 3 that recite a determining operation or involve a decision do not necessarily require that both branches of the determining operation be practiced. In other words, one of the branches of the determining operation can be deemed as an optional step. Thus, the use of the term “optional step” is intended to only reflect different variations of a particular illustrative example and is not intended to indicate that steps not labelled as optional steps are to be deemed to be essential steps. Furthermore, operations, steps or blocks of the above described method(s) can be combined, separated, and/or performed in a different order from that described above, without departing from the examples of the present disclosure.

FIG. 4 illustrates a flowchart of an example method for supporting management and resolution of alarms of a communication network. In one example, the method 400 is configured to enable a third party entity associated with a communication network provider to obtain alarm information from the communication network provider. In one example, the method 400 may be performed by an element of the third party entity (e.g., a management system, a network element, and the like) associated with the communication network provider, or by one or more components thereof (e.g., a processor, or processors, performing operations stored in and loaded from a memory). In one example, the steps, functions, or operations of method 400 may be performed by a computing device or processing system, such as computing system 500 and/or hardware processor element 502 as presented with respect to FIG. 5. For instance, the computing system 500 may represent any one or more components of the system 100 and/or the process 200 that is/are configured to perform the steps, functions and/or operations of the method 400. Similarly, in one example, the steps, functions, or operations of method 400 may be performed by a processing system including one or more computing devices collectively configured to perform various steps, functions, and/or operations of the method 400. For instance, multiple instances of the computing system 500 may collectively function as a processing system. For illustrative purposes, the method 400 is described in greater detail below in connection with an example performed by a processing system. The method 400 begins in step 405 and proceeds to step 410.

At step 410, the processing system of a first communication network may receive a set of alarm features of a first alarm. In one example, the second communication network is operated by a communication network provider and the first communication network is operated by a third party entity associated with the communication network provider (e.g., an enterprise network of an enterprise customer of the communication network provider). In one example, at least one of the alarm features in the set of alarm features of the first alarm is determined from the first alarm (e.g., one or more alarm features are included in the alarm). In one example, at least one of the alarm features of the set of alarm features of the first alarm is determined based on an investigation of the first alarm.

At step 420, the processing system may determine, based on the set of alarm features of the first alarm, an alarm fingerprint of the first alarm. In one example, the alarm fingerprint of the first alarm may include a set of hashes of the alarm features of the first alarm.

At step 430, the processing system may encode the alarm fingerprint of the first alarm to form an encoded alarm fingerprint of the first alarm. In one example, the alarm fingerprint of the first alarm may be encoded, to form the encoded alarm fingerprint of the first alarm, based on a Bloom filter or other suitable encoding mechanism.

At step 440, the processing system may send, toward the second communication network, a query including the encoded alarm fingerprint of the first alarm.

At step 450, the processing system may receive, from the second communication network, a query response including a set of similar encoded alarm fingerprints associated with a respective set of alarms of the second communication network, wherein the similar encoded alarm fingerprints in the set of similar encoded alarm fingerprints are identified as being similar to the encoded alarm fingerprint of the first alarm based on a similarity metric configured to determine similarity between encoded data structures. In one example, the similar encoded alarm fingerprints in the set of similar encoded alarm fingerprints may be encoded based on Bloom filters or other suitable encoding mechanisms. In one example, the similarity metric may be a Tanimoto similarity metric or other suitable similarity metric.

At step 460, the processing system may determine, based on an analysis of the set of similar encoded alarm fingerprints, a management action related to the first alarm. In one example, the analysis of the set of similar encoded alarm fingerprints may be configured to identify a trend associated with at least one type of alarm feature. In one example, the management action related to the first alarm includes at least one of a management action for the first communication network and a management action for the second communication network. In one example, the management action related to the first alarm includes at least one of a device blocking action, a configuration action, or a notification action.

At step 470, the processing system may initiate the management action related to the first alarm. In one example, the processing system may initiate the management action related to the first alarm by at least one of sending one or more messages to one or more elements of the first communication network or sending one or more messages to one or more elements of the second communication network. Following step 470, the method 400 proceeds to step 495 where the method 400 ends.
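The encoded-fingerprint query, covering both the provider-side Tanimoto comparison described for the AMS 201 and the third-party steps 420 through 460 of the method 400, can be sketched as follows. This is an added example, not code from the disclosure: the filter size s = 1024, three bit positions per element, SHA-256 as the hash, the 0.5 query threshold and the action policy in `choose_action` are assumptions, and the alarm store is constructed sample data.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

S = 1024  # Bloom filter size s in bits (assumed; both networks must use the same value)
K = 3     # bit positions set per fingerprint element (assumed)


def alarm_fingerprint(features: Iterable[str]) -> List[str]:
    """Step 420: the fingerprint is a set of hashes, one per alarm feature."""
    return sorted({hashlib.sha256(f.encode("utf-8")).hexdigest() for f in features})


def bloom_encode(fp: Iterable[str], s: int = S, k: int = K) -> int:
    """Step 430: encode the fingerprint as an s-bit Bloom filter (a Python int)."""
    bits = 0
    for element in fp:
        for i in range(k):
            digest = hashlib.sha256(f"{i}:{element}".encode("utf-8")).digest()
            bits |= 1 << (int.from_bytes(digest[:8], "big") % s)
    return bits


def encode(features: Iterable[str]) -> int:
    """Feature list -> encoded alarm fingerprint."""
    return bloom_encode(alarm_fingerprint(features))


def tanimoto(bi: int, bj: int) -> float:
    """T(Bi,Bj) = sum_k(Bik AND Bjk) / sum_k(Bik OR Bjk); two empty filters score 0."""
    union = bin(bi | bj).count("1")
    return bin(bi & bj).count("1") / union if union else 0.0


def ams_handle_query(target: int, store: Dict[str, int], threshold: float) -> List[int]:
    """Provider side: return only encoded fingerprints, most similar first.
    Alarm identifiers and feature values never leave the provider."""
    scored = [(tanimoto(target, enc), enc) for enc in store.values()]
    scored = [pair for pair in scored if pair[0] >= threshold]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [enc for _, enc in scored]


def choose_action(target: int, similar: List[int], block_at: float = 0.9) -> Optional[str]:
    """Step 460 with a hypothetical policy: block on a near-identical match,
    notify on a weaker one, do nothing when the provider saw nothing similar."""
    if not similar:
        return None
    best = max(tanimoto(target, enc) for enc in similar)
    return "device_blocking" if best >= block_at else "notification"


# Constructed provider-side store: alarm id -> encoded alarm fingerprint.
AMS_STORE = {
    "A1": encode(["src_ip=198.51.100.10", "dst_port=445", "proto=tcp",
                  "malware=ExampleWormA", "sig=sig-0001"]),
    "A2": encode(["src_ip=198.51.100.10", "dst_port=445", "proto=tcp",
                  "malware=ExampleWormA", "sig=sig-0002"]),
    "A3": encode(["src_ip=203.0.113.9", "dst_port=445", "proto=tcp",
                  "malware=ExampleBotB", "sig=sig-0300"]),
    "A4": encode(["src_ip=192.0.2.55", "dst_port=53", "proto=udp",
                  "malware=ExampleDnsTunnel", "sig=sig-0100"]),
}
# Constructed third-party alarms: one matching A1 exactly, one close to A4.
THIRD_PARTY_ALARM = ["src_ip=198.51.100.10", "dst_port=445", "proto=tcp",
                     "malware=ExampleWormA", "sig=sig-0001"]
SECOND_ALARM = ["src_ip=192.0.2.55", "dst_port=53", "proto=udp",
                "malware=ExampleDnsTunnel", "sig=sig-0101"]

if __name__ == "__main__":
    for name, alarm in (("first", THIRD_PARTY_ALARM), ("second", SECOND_ALARM)):
        target = encode(alarm)                                 # steps 420-430
        response = ams_handle_query(target, AMS_STORE, 0.5)    # steps 440-450
        print(name, [round(tanimoto(target, e), 3) for e in response],
              choose_action(target, response))                 # step 460
```

Because independent elements can set the same bit, the Tanimoto value of two filters only approximates the overlap of the underlying hash sets; a larger s keeps that error small.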

It should also be noted that the method 400 may be expanded to include additional steps, or may be modified to replace steps with different steps, to combine steps, to omit steps, to perform steps in a different order, and so forth. It will be appreciated that these and other modifications are all contemplated within the scope of the present disclosure.

In addition, although not expressly specified above, one or more steps of the method 400 may include a storing, displaying, and/or outputting steps as required for a particular application. In other words, any data, records, fields, and/or intermediate results discussed in the method can be stored, displayed, and/or outputted to another device as required for a particular application. Furthermore, operations, steps, or blocks in FIG. 4 that recite a determining operation or involve a decision do not necessarily require that both branches of the determining operation be practiced. In other words, one of the branches of the determining operation can be deemed as an optional step. Thus, the use of the term “optional step” is intended to only reflect different variations of a particular illustrative example and is not intended to indicate that steps not labelled as optional steps are to be deemed to be essential steps. Furthermore, operations, steps or blocks of the above described method(s) can be combined, separated, and/or performed in a different order from that described above, without departing from the examples of the present disclosure.

It will be appreciated that various examples presented herein for supporting management and resolution of alarms may provide various advantages or potential advantages. For example, various examples presented herein for supporting management and resolution of alarms may speed up the analyst vetting process and analyst investigation efficiency. For example, various examples presented herein for supporting management and resolution of alarms may enable automation of the investigating process by automatically applying similar methods, procedures, and results from similar historical alarms. For example, various examples presented herein for supporting management and resolution of alarms may ensure that, as soon as alarm features of a new alarm are collected, even before investigation of the new alarm begins, the analysis entity (e.g., an automated analysis entity or a human analyst) has access to similar alarms and associated alarm information which provides significantly more context and intelligence to the investigation and resolution of the new alarm, thereby reducing the analysis and, thus, reaction, time due to the improved correlation of similar alarms and associated alarm information. For example, various examples presented herein for supporting management and resolution of alarms may enable significant decreases in alarm reaction and resolution times. For example, various examples presented herein for supporting management and resolution of alarms may enable security automation. For example, various examples presented herein for supporting management and resolution of alarms may enable efficient support for analysis and resolution of alarms even as the number of alarms, and the amount of relevant data generated for alarm analysis purposes, continue to increase with increases in numbers of devices being used, numbers of applications being used, and network traffic volumes.
For example, various examples presented herein for supporting management and resolution of alarms may enable efficient support for analysis and resolution of alarms in a manner supporting prioritization of alarms for rapid identification and handling of the most important alarms, supporting reductions in false positives, and so forth. For example, various examples presented herein for supporting management and resolution of alarms may obviate the need for hiring of additional alarm analysts to handle increasing numbers of alarms. For example, various examples presented herein for supporting management and resolution of alarms may obviate the need for use of security alarm detection mechanisms that may tip off the detection mechanisms to malicious entities (e.g., predefined signatures, labels, and so forth). For example, various examples presented herein for supporting management and resolution of alarms may enable creation and use of automated remediation mechanisms based on similar methods and procedures used for similar historical alarms. For example, various examples presented herein for supporting management and resolution of alarms may enable sharing of alarm information without revealing the contents of the alarms and, thus, while protecting any personal or private information which may be included within or otherwise associated with alarms. It will be appreciated that various examples presented herein for supporting management and resolution of alarms may provide various other advantages or potential advantages.

It will be appreciated that, as used herein, the terms “configure,” and “reconfigure” may refer to programming or loading a processing system with computer-readable/computer-executable instructions, code, and/or programs, e.g., in a distributed or non-distributed memory, which when executed by a processor, or processors, of the processing system within a same device or within distributed devices, may cause the processing system to perform various functions. Such terms may also encompass providing variables, data values, tables, objects, or other data structures or the like which may cause a processing system executing computer-readable instructions, code, and/or programs to function differently depending upon the values of the variables or other data structures that are provided. As referred to herein a “processing system” may include a computing device, or computing system, including one or more processors, or cores (e.g., as illustrated in FIG. 5 and discussed below) or multiple computing devices collectively configured to perform various steps, functions, and/or operations in accordance with the present disclosure.

FIG. 5 depicts a high-level block diagram of a computing system 500 (e.g., a computing device or processing system) specifically programmed to perform the functions described herein. For example, any one or more components or devices illustrated in FIG. 1 or FIG. 2, or described in connection with the method 300 of FIG. 3 or the method 400 of FIG. 4, may be implemented as the computing system 500. As depicted in FIG. 5, the computing system 500 includes a hardware processor element 502 (e.g., including one or more hardware processors, which may include one or more microprocessor(s), one or more central processing units (CPUs), and/or the like, where the hardware processor element 502 may also represent one example of a “processing system” as referred to herein), a memory 504, (e.g., random access memory (RAM), read only memory (ROM), a disk drive, an optical drive, a magnetic drive, and/or a Universal Serial Bus (USB) drive), a module 505 for supporting management and resolution of alarms of a communication network, and one or more input/output devices 506, e.g., a camera, a video camera, storage devices, including but not limited to, a tape drive, a floppy drive, a hard disk drive or a compact disk drive, a receiver, a transmitter, a speaker, a display, a speech synthesizer, an output port, and a user input device (such as a keyboard, a keypad, a mouse, and the like).

It will be appreciated that, although only one hardware processor element 502 is shown, the computing system 500 may employ a plurality of hardware processor elements. Furthermore, although only one computing device is shown in FIG. 5, if the method(s) as discussed above is implemented in a distributed or parallel manner for a particular illustrative example, e.g., the steps of the above method(s) or the entire method(s) are implemented across multiple or parallel computing devices, then the computing system 500 of FIG. 5 may represent each of those multiple or parallel computing devices. Furthermore, one or more hardware processor elements (e.g., hardware processor element 502) can be utilized in supporting a virtualized or shared computing environment. The virtualized computing environment may support one or more virtual machines which may be configured to operate as computers, servers, or other computing devices. In such virtualized virtual machines, hardware components such as hardware processors and computer-readable storage devices may be virtualized or logically represented. The hardware processor element 502 can also be configured or programmed to cause other devices to perform one or more operations as discussed above. In other words, the hardware processor element 502 may serve the function of a central controller directing other devices to perform the one or more operations as discussed above.

It will be appreciated that the present disclosure can be implemented in software and/or in a combination of software and hardware, e.g., using application specific integrated circuits (ASIC), a programmable logic array (PLA), including a field-programmable gate array (FPGA), or a state machine deployed on a hardware device, a computing device, or any other hardware equivalents, e.g., computer-readable instructions pertaining to the method(s) discussed above can be used to configure one or more hardware processor elements to perform the steps, functions and/or operations of the above disclosed method(s). In one example, instructions and data for the module 505 for supporting management and resolution of alarms of a communication network (e.g., a software program including computer-executable instructions) can be loaded into memory 504 and executed by hardware processor element 502 to implement the steps, functions or operations as discussed above in connection with the example method 300 or the example method 400. Furthermore, when a hardware processor element executes instructions to perform operations, this could include the hardware processor element performing the operations directly and/or facilitating, directing, or cooperating with one or more additional hardware devices or components (e.g., a co-processor and the like) to perform the operations.

The processor (e.g., hardware processor element 502) executing the computer-readable instructions relating to the above described method(s) can be perceived as a programmed processor or a specialized processor. As such, the module 505 for supporting management and resolution of alarms (including associated data structures) of the present disclosure can be stored on a tangible or physical (broadly non-transitory) computer-readable storage device or medium, e.g., volatile memory, non-volatile memory, ROM memory, RAM memory, magnetic or optical drive, device or diskette and the like. Furthermore, a “tangible” computer-readable storage device or medium may include a physical device, a hardware device, or a device that is discernible by the touch. More specifically, the computer-readable storage device or medium may include any physical devices that provide the ability to store information such as instructions and/or data to be accessed by a processor or a computing device such as a computer or an application server.

While various examples have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred example should not be limited by any of the above-described examples, but should be defined only in accordance with the following claims and their equivalents.

What is claimed is:
 1. A method comprising: receiving, by a processing system including at least one processor, a set of alarm features of a first alarm; generating, by the processing system based on the set of alarm features of the first alarm, an alarm fingerprint of the first alarm; obtaining, by the processing system for a set of historical alarms, a set of historical alarm information comprising, for each of the historical alarms in the set of historical alarms, a respective alarm fingerprint of the historical alarm and a respective alarm resolution of the historical alarm; determining, by the processing system based on the alarm fingerprint of the first alarm and the respective alarm fingerprints of the historical alarms, a set of similar historical alarms including one or more of the historical alarms, wherein the determining of the set of similar historical alarms comprises comparing the alarm fingerprint of the first alarm with the respective alarm fingerprints of the historical alarms, based on a similarity metric, to obtain a respective set of similarity values associated with the respective historical alarms; determining, by the processing system based on one or more similarity values of respective one or more historical alarms in the set of similar historical alarms and respective one or more alarm resolutions of the respective one or more historical alarms in the set of similar historical alarms, an alarm resolution of the first alarm; and initiating, by the processing system based on the alarm resolution of the first alarm, an alarm resolution action configured to resolve the first alarm.
 2. The method of claim 1, wherein at least one of the alarm features of the set of alarm features of the first alarm is retrieved from the first alarm.
 3. The method ofclaim 1, wherein at least one of the alarm features of the set of alarmfeatures of the first alarm is determined based on an investigation ofthe first alarm.
 4. The method of claim 1, wherein, for at least one ofthe alarm fingerprints of at least one of the historical alarms, therespective similarity value associated with the respective historicalalarm is based on a distance between the alarm fingerprint of the firstalarm and the respective alarm fingerprint of the respective historicalalarm.
 5. The method of claim 1, wherein the similarity metric comprisesa distance-based metric.
 6. The method of claim 5, wherein thedistance-based metric comprises a jaccard similarity metric.
 7. Themethod of claim 1, wherein the set of similar historical alarms isdetermined based on a similarity threshold associated with thesimilarity metric.
 8. The method of claim 7, wherein the similaritythreshold is based on an analysis of at least a portion of thehistorical alarms in the set of historical alarms.
 9. The method ofclaim 1, wherein the determining of the set of similar historical alarmsis based on, for at least one of the historical alarms, whether thealarm resolution of the respective historical alarm comprises anautomated alarm resolution.
 10. The method of claim 1, wherein thedetermining of the alarm resolution of the first alarm comprises:selecting, by the processing system from the set of similar historicalalarms based on the respective one or more similarity values of therespective one or more historical alarms in the set of similarhistorical alarms and the respective one or more alarm resolutions ofthe respective one or more historical alarms in the set of similarhistorical alarms, one of the similar historical alarms; anddetermining, by the processing system based on the respective alarmresolution of the one of the similar historical alarms, the alarmresolution of the first alarm.
 11. The method of claim 10, wherein theone of the similar historical alarms comprises, from ones of the similarhistorical alarms in the set of similar historical alarms for which therespective alarm resolution of the respective historical alarm comprisesan automated alarm resolution, one of the historical alarms having agreatest similarity value.
 12. The method of claim 1, wherein the alarmresolution action comprises at least one of: a blocking of an enddevice, a configuration of a network device, or a sending of anotification related to a device.
 13. An apparatus comprising: aprocessing system including at least one processor; and acomputer-readable medium storing instructions which, when executed bythe processing system, cause the processing system to performoperations, the operations comprising: receiving a set of alarm featuresof a first alarm; generating, based on the set of alarm features of thefirst alarm, an alarm fingerprint of the first alarm; obtaining, for aset of historical alarms, a set of historical alarm informationcomprising, for each of the historical alarms in the set of historicalalarms, a respective alarm fingerprint of the historical alarm and arespective alarm resolution of the historical alarm; determining, basedon the alarm fingerprint of the first alarm and the respective alarmfingerprints of the historical alarms, a set of similar historicalalarms including one or more of the historical alarms, wherein thedetermining of the set of similar historical alarms comprises comparingthe alarm fingerprint of the first alarm with the respective alarmfingerprints of the historical alarms, based on a similarity metric, toobtain a respective set of similarity values associated with therespective historical alarms; determining, based on one or moresimilarity values of respective one or more historical alarms in the setof similar historical alarms and respective one or more alarmresolutions of the respective one or more historical alarms in the setof similar historical alarms, an alarm resolution of the first alarm;and initiating, based on the alarm resolution of the first alarm, analarm resolution action configured to resolve the first alarm.
 14. Theapparatus of claim 13, wherein at least one of the alarm features of theset of alarm features of the first alarm is retrieved from the firstalarm.
 15. A method comprising: receiving, by a processing system of afirst communication network, a set of alarm features of a first alarm;determining, by the processing system based on the set of alarm featuresof the first alarm, an alarm fingerprint of the first alarm; encoding,by the processing system, the alarm fingerprint of the first alarm toform an encoded alarm fingerprint of the first alarm; sending, by theprocessing system toward a second communication network, a queryincluding the encoded alarm fingerprint of the first alarm; receiving,by the processing system from the second communication network, a queryresponse including a set of similar encoded alarm fingerprintsassociated with a respective set of alarms of the second communicationnetwork, wherein the similar encoded alarm fingerprints in the set ofsimilar encoded alarm fingerprints are identified as being similar tothe encoded alarm fingerprint of the first alarm based on a similaritymetric configured to determine similarity between encoded datastructures; determining, by the processing system based on an analysisof the set of similar encoded alarm fingerprints, a management actionrelated to the first alarm; and initiating, by the processing system,the management action related to the first alarm.
 16. The method ofclaim 15, wherein the encoded alarm fingerprint of the first alarm andthe similar encoded alarm fingerprints in the set of similar encodedalarm fingerprints are encoded based on respective bloom filters. 17.The method of claim 15, wherein the similarity metric comprises atanimoto similarity metric.
 18. The method of claim 15, wherein theanalysis of the similar encoded alarm fingerprints in the set of similarencoded alarm fingerprints is configured to identify a trend associatedwith at least one type of alarm feature.
 19. The method of claim 15,wherein the management action related to the first alarm comprises atleast one of: a management action for the first communication network ora management action for the second communication network.
 20. The methodof claim 15, wherein the second communication network is operated by acommunication network provider, wherein the first communication networkis operated by a third party entity associated with the communicationnetwork provider.
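The selection logic recited in claims 1 and 5 through 11, as an added illustrative sketch that is not part of the patent text: fingerprints are compared by Jaccard similarity, filtered by a threshold, and the most similar historical alarm with an automated resolution supplies the resolution. The token encoding, the class and function names, the threshold value and the sample alarms are all assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HistoricalAlarm:
    alarm_id: str
    fingerprint: frozenset
    resolution: str
    automated: bool  # True if the stored resolution ran without an analyst

def fingerprint(features: dict) -> frozenset:
    # Assumed encoding: one "name=value" token per alarm feature.
    return frozenset(f"{k}={v}" for k, v in features.items())

def jaccard(a: frozenset, b: frozenset) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def similar_alarms(fp, history, threshold):
    # Score every historical alarm, keep those at or above the threshold,
    # and return them most-similar first.
    scored = ((jaccard(fp, h.fingerprint), h) for h in history)
    return sorted((p for p in scored if p[0] >= threshold),
                  key=lambda p: p[0], reverse=True)

def resolve(features, history, threshold=0.5):
    # Most similar historical alarm whose resolution was automated, else None.
    for score, alarm in similar_alarms(fingerprint(features), history, threshold):
        if alarm.automated:
            return alarm.resolution, alarm.alarm_id, score
    return None

# Constructed sample data (hypothetical feature names and resolutions).
NEW_ALARM = {"type": "port_scan", "src_class": "iot_camera",
             "dst_port": "23", "proto": "tcp"}
HISTORY = [
    HistoricalAlarm("H1", fingerprint(NEW_ALARM), "escalate_to_analyst", False),
    HistoricalAlarm("H2", fingerprint({"type": "port_scan", "src_class": "iot_camera",
                                       "dst_port": "2323", "proto": "tcp"}),
                    "block_end_device", True),
    HistoricalAlarm("H3", fingerprint({"type": "ddos", "src_class": "server",
                                       "dst_port": "80", "proto": "tcp"}),
                    "notify_owner", True),
]

if __name__ == "__main__":
    print(resolve(NEW_ALARM, HISTORY))
```

H1 matches exactly but was resolved manually, so the automated resolution of H2 is chosen; raising the threshold above H2's score leaves no automated candidate and the alarm falls through to an analyst.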
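The cross-network query of claims 15 through 17, as an added illustrative sketch that is not part of the patent text: the first network encodes its fingerprint as a Bloom filter, and the second network compares that bit pattern with its own encoded fingerprints by Tanimoto similarity, so the query carries the encoded fingerprint rather than the raw feature tokens. The filter size, hash count, SHA-256 hash construction, threshold and sample tokens are assumptions constructed for this example.

```python
import hashlib

M_BITS = 256   # assumed Bloom filter size in bits
K_HASHES = 3   # assumed number of hash functions per token

def bloom_encode(tokens, m=M_BITS, k=K_HASHES) -> int:
    # Set k bit positions per token; the filter is held as a Python int.
    bits = 0
    for tok in tokens:
        for i in range(k):
            digest = hashlib.sha256(f"{i}:{tok}".encode()).digest()
            bits |= 1 << (int.from_bytes(digest[:8], "big") % m)
    return bits

def tanimoto(a: int, b: int) -> float:
    # Shared set bits divided by bits set in either filter.
    union = bin(a | b).count("1")
    return bin(a & b).count("1") / union if union else 0.0

def answer_query(encoded_query: int, remote_store: dict, threshold: float):
    # Second network's side: return its encoded fingerprints that are
    # similar to the query, with their similarity values, best first.
    hits = [(name, enc, tanimoto(encoded_query, enc))
            for name, enc in remote_store.items()]
    return sorted((h for h in hits if h[2] >= threshold),
                  key=lambda h: h[2], reverse=True)

# Constructed sample data (hypothetical feature tokens).
QUERY_TOKENS = ["type=port_scan", "src_class=iot_camera", "dst_port=23", "proto=tcp"]
REMOTE_STORE = {
    "R1": bloom_encode(["type=port_scan", "src_class=iot_camera",
                        "dst_port=2323", "proto=tcp"]),
    "R2": bloom_encode(["type=ddos", "src_class=server",
                        "dst_port=80", "proto=tcp"]),
}

if __name__ == "__main__":
    query = bloom_encode(QUERY_TOKENS)
    for name, _, score in answer_query(query, REMOTE_STORE, threshold=0.4):
        print(name, round(score, 2))
```

Both networks must use the same filter size, hash count and hash construction, otherwise the similarity values are meaningless.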